[X2Go-Commits] [x2goclient] 02/02: src/httpbrokerclient.cpp: do not leak password length in debug output either.

[git-admin at x2go.org]

This is an automated email from the git hooks/post-receive script.

x2go pushed a commit to branch master
in repository x2goclient.

commit 132603ebdd04ba934f77b5767c71c48ed8973af2
Author: Mihai Moldovan <ionic at ionic.de>
Date:   Mon Sep 30 19:29:29 2019 +0200

    src/httpbrokerclient.cpp: do not leak password length in debug output either.
---
 debian/changelog         | 2 ++
 src/httpbrokerclient.cpp | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 2ba277b..132f9d5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -116,6 +116,8 @@ x2goclient (4.1.2.2-0x2go1) UNRELEASED; urgency=medium
       #1393.
     - res/i18n/x2goclient_*.ts: replace changed source strings, no
       retranslations required.
+    - src/httpbrokerclient.cpp: do not leak password length in debug output
+      either.
   * debian/control:
     + Add build-depend on pkg-config.
   * x2goclient.spec:
diff --git a/src/httpbrokerclient.cpp b/src/httpbrokerclient.cpp
index d264c11..e41e9d6 100644
--- a/src/httpbrokerclient.cpp
+++ b/src/httpbrokerclient.cpp
@@ -893,7 +893,9 @@ QString HttpBrokerClient::scramblePwd(const QString& req)
         {
             plength=endPos-startPos;
         }
-        scrambled.replace(startPos,plength,'*');
+        scrambled.remove(startPos, plength);
+        // Hardcode a value of 8 here - the length of the string "password".
+        scrambled.insert(startPos, QString ('*').repeated (8));
     }
     return scrambled;
 }

--
Alioth's /home/x2go-admin/maintenancescripts/git/hooks/post-receive-email on /srv/git/code.x2go.org/x2goclient.git